Cryptographic Schemes Based on Isogenies
Anton Stolbunov
Trondheim, January 23, 2012
www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies
Outline
[Ch. 1] Introduction
[Ch. 2] Constructing Cryptographic Schemes Based on Isogenies
[Ch. 3] Security Reductions for Schemes Based on Group Action
[Ch. 4] Improved Algorithm for the Isogeny Problem
Motivation for Research
— security of current asymmetric cryptographic schemes is decreasing (index calculus algorithms, Shor's algorithm, etc.);
— cryptographic schemes based on new hard computational problems are needed;
— elliptic curves and imaginary quadratic fields are well studied and good algorithms are available.
Research Questions
1. How can isogenies between ordinary elliptic curves be used for building cryptographic schemes? Which schemes can be built? What is the efficiency of such schemes?
2. On which computational problems does the security of the proposed schemes depend?
3. What is the computational complexity of these problems?
Related Work: Cryptographic Schemes Based on Isogenies
[Teske 2003] key escrow system;
[Rostovtsev et al. 2004] ordered digital signature scheme;
[Rostovtsev, Stolbunov 2006] public-key encryption scheme;
[Couveignes 2006] key agreement, authentication and Σ-protocols;
[Charles et al. 2009] hash using supersingular-curve isogenies;
[Weiwei, Debiao 2010], [Debiao et al. 2011] authenticated key agreement protocols;
[Jao, De Feo 2011] key agreement and public-key encryption using supersingular-curve isogenies.
Elliptic Curves
Let F be a field, char(F) ≠ 2, 3. An elliptic curve E/F is a non-singular algebraic curve defined by
$$Y^2 = X^3 + aX + b,$$
where a and b lie in F.

Let L ⊇ F be an extension field. E(L) := {points over L} ∪ {P∞} is called the group of points of E over L.

$$j(E) := 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$$ is the j-invariant.

Example
E(F_47) : Y² = X³ + X + 5.
Isogenies
An isogeny φ from E1 to E2 is a (nonconstant) homomorphism
$$\varphi : E_1(F) \to E_2(F)$$
that is given by rational functions.

Example (cont.)
E1/F_47 : Y² = X³ + X + 5, j(E1) = 27;
E2/F_47 : Y² = X³ + 32X + 19, j(E2) = 24.
$$\varphi : E_1 \to E_2,\qquad (X, Y) \mapsto \left( \frac{X^2 - 17X + 22}{X - 17},\ \frac{X^2 + 13X - 15}{X^2 + 13X + 7}\, Y \right).$$
ker(φ) = {(17, 0), P∞}, deg(φ) = 2.
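An added example, not from the slides or from the ClassEll package: plain-Python checks of the example above over F_47. The two curves, their j-invariants, the kernel point (17, 0) and the rational map are the slide's; the point enumeration, the on-curve test of every image point and the image count are this example's own additions. It needs Python 3.8+ for `pow(x, -1, p)`.

```python
# Added example (not from the slides): verify the F_47 elliptic-curve and
# 2-isogeny example with plain modular arithmetic. Curves, j-invariants,
# kernel and the rational map are from the slides; the enumeration and the
# checks are this example's own.

P = 47                      # field characteristic from the example
E1 = (1, 5)                 # Y^2 = X^3 + X + 5
E2 = (32, 19)               # Y^2 = X^3 + 32X + 19


def j_invariant(a, b, p=P):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) mod p for Y^2 = X^3 + aX + b."""
    num = 4 * a**3 % p
    den = (4 * a**3 + 27 * b**2) % p
    assert den != 0, "singular curve"
    return 1728 * num * pow(den, -1, p) % p


def points(a, b, p=P):
    """All F_p-points of Y^2 = X^3 + aX + b; the point at infinity is None."""
    pts = [None]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                pts.append((x, y))
    return pts


def on_curve(pt, a, b, p=P):
    """True if pt (or infinity) satisfies the curve equation mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def phi(pt, p=P):
    """The degree-2 isogeny E1 -> E2 from the slide, as rational maps.
    The x-denominator vanishes exactly at x = 17, the kernel point."""
    if pt is None:
        return None
    x, y = pt
    if x == 17:
        return None                       # (17, 0) maps to infinity
    X = (x * x - 17 * x + 22) * pow(x - 17, -1, p) % p
    # x^2 + 13x + 7 = (x - 17)^2 mod 47, so it is nonzero whenever x != 17
    Y = y * (x * x + 13 * x - 15) * pow((x * x + 13 * x + 7) % p, -1, p) % p
    return (X, Y)


def check_isogeny():
    """Return (#E1(F_47), #E2(F_47), kernel, #image) after checking that phi
    maps every point of E1 onto a point of E2."""
    pts1 = points(*E1)
    pts2 = points(*E2)
    kernel = [pt for pt in pts1 if phi(pt) is None]
    image = set()
    for pt in pts1:
        q = phi(pt)
        assert on_curve(q, *E2), f"phi({pt}) = {q} is not on E2"
        image.add(q)
    return len(pts1), len(pts2), kernel, len(image)


if __name__ == "__main__":
    print("j(E1) =", j_invariant(*E1), " j(E2) =", j_invariant(*E2))
    n1, n2, ker, img = check_isogeny()
    print(f"#E1 = {n1}, #E2 = {n2}, ker = {ker}, |phi(E1(F_47))| = {img}")
```

The image of E1(F_47) has 42/2 = 21 points because the only rational points in the kernel are P∞ and (17, 0); the equal point counts 42 are what the notation ELL_{47,42} on the next slide refers to.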
Class Group Action on j-Invariants in C
Let K be an imaginary quadratic field and O_K its ring of integers.
CL(O_K) = {[a1], ..., [ah]} ideal class group of O_K.
ELL_σ(O_K) := {j(a1), ..., j(ah)} set of j-invariants of the fractional ideals of O_K for a fixed embedding σ of K in C.
The action ∗ of CL(O_K) on ELL_σ(O_K) is defined as
$$\ast : CL(O_K) \times ELL_\sigma(O_K) \to ELL_\sigma(O_K),\qquad ([\mathfrak{a}], j(\mathfrak{b})) \mapsto j(\mathfrak{a}^{-1}\mathfrak{b}).$$

H = K(j(O_K)) Hilbert class field of K. All j(ai) lie in O_H.
𝔭 a prime ideal of O_H above a prime p that splits completely in O_H.
Reduction modulo 𝔭 maps the elements j(ai) to j-invariants of ordinary elliptic curves over O_H/𝔭 ≅ F_p.
Class Group Action on a Set of Isogenous Ordinary Elliptic Curves
ELL_{p,n}(O_K) := {j(E/F_p) : #E(F_p) = n, End(E) ≅ O_K}.
The group CL(O_K) acts simply transitively on the set ELL_{p,n}(O_K).

Example (cont.)
E : Y² = X³ + X + 5 over F_47. j(E) = 27. End_{F_47}(E) ≅ O_{−152}.

CL(O_{−152})          Permutations on ELL_{47,42}(O_{−152})
g   = [(3, 2, ·)]     (27 12 15 24 41 19)
g²  = [(6, 4, ·)]     (27 15 41)(19 12 24)
g³  = [(2, 0, ·)]     (27 24)(19 15)(41 12)
g⁴  = [(6, −4, ·)]    (27 41 15)(19 24 12)
g⁵  = [(3, −2, ·)]    (27 19 41 24 15 12)
g⁶  = [(1, 0, ·)]     (27)(19)(41)(24)(15)(12)

[Diagram: the isogeny graph on the six j-invariants 27, 12, 19, 15, 41, 24, with arrows showing the action of g.]
CONSTRUCTING CRYPTOGRAPHIC SCHEMES BASED ON ISOGENIES (Chapter 2)
Key Agreement Protocol KA1
System parameters: finite abelian group G acting by ∗ on a set X; an element x ∈ X.

The protocol (simplified)

A                          B
Input: −                   Input: −
a ←R G                     b ←R G
mA ← a ∗ x                 mB ← b ∗ x
            mA →
            ← mB
kA ← a ∗ mB                kB ← b ∗ mA
Output: kA                 Output: kB

[Diagram: x goes to mA under a and to mB under b; mA goes to k under b and mB goes to k under a, so both parties reach the same k.]
More Schemes Based on Group Action
— public-key encryption scheme PE;
— authenticated key agreement protocols;
— digital signature scheme;
— secret-key encryption scheme;
— no-key secret message transfer protocol;
— commitment scheme.
Proposed Implementation Details for Schemes Based on Isogenies
— system parameter generation algorithm;
— representation of elements of CL(O_K);
— efficient implementation of class group action on ELL_{p,n}(O_K). One action is $O(\log(p)^{5.3})$ bit operations;
— random sampling from the class group;
— pseudo-random sampling from a large class group.
Practical Implementation
Created an open-source package ClassEll for PARI/GP.

Average serial running time of one class group action

Security (bits)   ⌈log p⌉ (bits)   Time (seconds)
75                224              19
80                244              21
96                304              56
112               364              90
128               428              229

Timings for Intel Core i7 920 @ 3.6 GHz.
SECURITY REDUCTIONS FOR SCHEMES BASED ON GROUP ACTION (Chapter 3)
Computational Problems
An abelian group G acts by ∗ on a set X.

Problem (Group Action Inverse Problem (GAIP)). Given x, y ∈ G ∗ x, find g such that g ∗ x = y.

[Diagram: x → y by an unknown group element.]

Problem (Decisional Diffie-Hellman Group Action Problem (DDHAP)). Given x, y, z, r ∈ G ∗ x, decide whether r = (ab) ∗ x for some a and b satisfying y = a ∗ x and z = b ∗ x.

[Diagram: x → y by a, x → z by b, y → k by b, z → k by a; the question is whether r = k.]

Reducibility of Problems
Can solve GAIP ⟹ can solve DDHAP.
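An added example that is not part of the slides or of ClassEll: the KA1 protocol of Chapter 2 run over the toy action from the Chapter 1 example, CL(O_{−152}) acting on ELL_{47,42}(O_{−152}), together with the two problems defined above. The slide gives CL(O_{−152}) as the cyclic group of order 6 generated by g = [(3, 2, ·)], whose action on the six j-invariants is the 6-cycle (27 12 15 24 41 19); the one assumption made here is to represent a group element as an exponent of g in Z/6, so that a ∗ j is "apply g a times". The exhaustive search for GAIP is feasible only because |G| = 6, and the DDHAP solver is the reduction stated on the slide (recover a from y, then compare a ∗ z with r).

```python
# Added example (not from the slides): KA1 over the toy class-group action
# CL(O_{-152}) on ELL_{47,42}(O_{-152}). The 6-cycle is copied from the
# slide; representing group elements as exponents of g in Z/6 is this
# example's choice.
import secrets

CYCLE = [27, 12, 15, 24, 41, 19]     # g sends CYCLE[i] to CYCLE[(i + 1) % 6]
ORDER = len(CYCLE)                   # |CL(O_{-152})| = h(-152) = 6
X0 = 27                              # public system parameter x = j(E)


def act(a, j):
    """a * j: apply the generator g a times (a is an exponent mod ORDER)."""
    i = CYCLE.index(j)               # ValueError if j is not in the orbit
    return CYCLE[(i + a) % ORDER]


def sample_group_element():
    """Uniform random class-group element (here: an exponent in Z/6)."""
    return secrets.randbelow(ORDER)


def ka1(a, b, x=X0):
    """One run of KA1 with A's secret a and B's secret b.
    Returns (mA, mB, kA, kB); commutativity of G gives kA == kB."""
    mA = act(a, x)                   # A -> B
    mB = act(b, x)                   # B -> A
    kA = act(a, mB)                  # A computes a * (b * x)
    kB = act(b, mA)                  # B computes b * (a * x)
    return mA, mB, kA, kB


def solve_gaip(x, y):
    """GAIP by exhaustive search: the g with g * x == y.
    Works here only because |G| = 6; real parameters make G far too large."""
    for g in range(ORDER):
        if act(g, x) == y:
            return g
    raise ValueError("y is not in the orbit G * x")


def solve_ddhap_via_gaip(x, y, z, r):
    """The slide's reduction GAIP => DDHAP: recover a with y = a * x,
    then r is a DH value exactly when r == a * z."""
    a = solve_gaip(x, y)
    return act(a, z) == r


def eavesdrop(x, mA, mB):
    """Passive attacker: recover the session key from the public messages."""
    return act(solve_gaip(x, mA), mB)


if __name__ == "__main__":
    a, b = sample_group_element(), sample_group_element()
    mA, mB, kA, kB = ka1(a, b)
    print(f"a={a} b={b} mA={mA} mB={mB} kA={kA} kB={kB}")
    print("eavesdropper recovers", eavesdrop(X0, mA, mB))
```

Running it shows both sides agreeing on k and a passive attacker recovering it by solving GAIP on six candidates; at the parameter sizes on the Chapter 2 slides (p of 224 bits and more) the class group is far too large for this search, which is what the reductions on the next slide rely on.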
Security Reductions

Theorem. If the DDHAP is hard, then the KA1 protocol is secure in the session-key authenticated-link model of Canetti and Krawczyk.

Theorem. If the DDHAP is hard and the hash function family is entropy smoothing, then the PE encryption scheme is IND-CPA secure (indistinguishability of encryptions under chosen-plaintext attack).
IMPROVED ALGORITHM FOR THE ISOGENY PROBLEM (Chapter 4)
Co-authored with Steven Galbraith
The Isogeny Problem
Problem (Isogeny Problem for Ordinary Elliptic Curves). Let E1/F_q and E2/F_q be ordinary elliptic curves satisfying #E1(F_q) = #E2(F_q). Compute an F_q-isogeny φ : E1 → E2.

Can solve IP with "comparable conductors" ⟺ can solve CL-GAIP.

Exponential-Time Classical Algorithms
[Galbraith 1999] uses an $O(\sqrt{\#ELL})$ database of elliptic curves;
[Galbraith, Hess and Smart (GHS) 2002] use the parallel collision search algorithm. We improve the GHS algorithm.

Subexponential-Time Quantum Algorithm
[Childs, Jao and Soukharev 2010] use algorithms for the hidden shift problem.
20 / 22
Proposed GHS Improvement
Our idea: modify the random walk on the isogeny graph such that lower-degree (i.e. faster) isogenies are used more often.

Results
— provided formulae for the expected running time of the parallel collision search with uneven partitioning, and its variance;
— experimentally measured the average running time for various partitionings with ±0.1 % precision and 99.7 % confidence;
— results apply to generic adding walks with uneven partitioning;
— gave recommendations on frequencies of isogeny degrees;
— asymptotic complexity of isogeny search is $O\!\left(q^{1/4+o(1)} \log^2(q) \log(\log(q))\right)$ operations in F_q.
Quantified Improvement over GHS
Expected time of an isogeny search over a 160-bit prime field using ClassEll on a single-core 2.67 GHz CPU, in years.

                geometric progression ratio of partitioning
# partitions       1      3/4      1/2      1/3      1/4
4               8708     6940     5429     4727     4690
5               6455     4495     2758     1925     1652
6               5514     3396     1755     1130      988
7               5068     2827     1334      904      858
8               4891     2530     1154      847      848
9               4930     2415     1093      842      856
10              5549     2548     1110      858      870
12              7409     2915     1157      891      903
14              9519     3255     1205      923      932
16             12200     3541     1242      949      955

Approximately 14× improvement over the GHS algorithm!
22 / 22
Conclusions
— many cryptographic schemes can be implemented using ordinary-curve isogenies;
— cryptographic operations are polynomial-time, but slower than contemporary alternatives;
— exponential complexity of the isogeny problem in the pre-quantum world. Short keys and low bandwidth usage.